Cyprus law provides two legal definitions of cryptoassets arising under separate legislative frameworks.
The first arises under the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007) (the “AML Law”), as amended in February 2021 to transpose AMLD5.
Under section 2, a cryptoasset is defined as a digital representation of value that:
- is not issued or guaranteed by a central bank or public authority;
- is not necessarily linked to any officially established currency and lacks the legal status of money;
- is accepted by individuals as a means of exchange or investment;
- can be transferred, stored, or traded electronically; and
- does not constitute (a) fiat currency, (b) electronic money or (c) a financial instrument under the Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017).
This definition continues to apply under the AML Law, ensuring that all cryptoasset activities falling within its scope remain subject to anti-money laundering (AML) obligations, irrespective of whether they are regulated under the framework below.
The second framework stems from the Markets in Crypto-Assets Regulation (EU) 2023/1114 (MiCA), which became directly applicable across the EU on 30 December 2024.
Pursuant to Article 3 of MiCA, a cryptoasset is defined as a digital representation of value or rights that can be transferred and stored electronically using distributed ledger technology or similar technology.
MiCA distinguishes among three principal categories:
- E-money tokens (EMTs): cryptoassets referencing a single official currency to maintain a stable value, functioning in a manner akin to electronic money.
- Asset-referenced tokens (ARTs): cryptoassets referencing one or several assets, rights, or official currencies to stabilise their value.
- Cryptoassets other than ARTs and EMTs: this covers a wide variety of cryptoassets, including utility tokens.
Currently, the regulatory framework governing cryptoassets in Cyprus includes:
- the AML Law;
- CySEC Directive C417-2021 on the Registration and Operations of CASPs (the “CySEC Registration Directive”);
- CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (“AML Directive”);
- MiCA; and
- Transfer of Funds Regulation (EU) 2023/1113.
MiCA, the precursor of the crypto landscape, introduces a transitional period of up to 18 months from its date of application, during which national regimes for cryptoasset service providers (CASPs) will continue to apply.
Following CySEC’s announcement of 17 October 2024, no new CASP applications are accepted under the national regime. Existing registered entities will remain subject to the AML framework until 1 July 2026 or until their MiCA authorisation is granted or refused, whichever occurs earlier.
Regarding regulatory bodies, the Cyprus Securities and Exchange Commission (CySEC) is the primary authority supervising CASPs under the AML Law and MiCA.
The Unit for Combating Money Laundering and Financial Intelligence Unit of Cyprus (MOKAS) acts as the Financial Intelligence Unit, while the Central Bank of Cyprus and the Digital Security Authority oversee payment and cybersecurity aspects, respectively. Sanctions compliance is monitored by the National Sanctions Implementation Unit (NSIU) under the Ministry of Finance.
The regulation of cryptoassets in Cyprus depends on their legal character and functional attributes, as determined under the MiCA and, where applicable, other sectoral financial laws.
As mentioned in Question 1, above, MiCA distinguishes among three principal categories of cryptoassets.
- EMTs. These are cryptoassets designed to maintain a stable value by referencing a single official currency. They are functionally equivalent to electronic money under Directive 2009/110/EC and Law 81(I)/2012. EMT issuers must be authorised as credit institutions or Electronic Money Institutions (EMIs), supervised by the Central Bank of Cyprus, and comply with MiCA requirements for issuance, redemption, capital, and fund safeguarding.
- ARTs. These maintain value by referencing assets, rights, or official currencies. Issuance and public offerings are regulated under MiCA Title III and require CySEC authorisation. Issuers must publish a CySEC-approved white paper, maintain adequate reserves, and meet governance, disclosure, and conflict-of-interest requirements. If ARTs are deemed significant due to scale or systemic relevance, the European Banking Authority (EBA) provides enhanced supervision in cooperation with CySEC.
- Other cryptoassets. This category includes cryptoassets that are not EMTs or ARTs, such as utility tokens that provide access to goods or services by the issuer of this token. Issuers must prepare and submit a cryptoasset white paper to CySEC unless exempted for reasons such as small-scale offerings or free distributions.
It is worth noting that non-fungible tokens (NFTs) fall outside MiCA’s scope unless fractionalised or fungible in nature.
As indicated in Question 2, above, CySEC’s 17 October 2024 announcement was followed by the discontinuation, from 30 October 2024, of cross-border notifications by European Economic Area (EEA)-authorised CASPs.
Since 30 December 2024, Cyprus has applied MiCA, which establishes a harmonised EU-wide licensing regime for cryptoasset issuers and CASPs.
MiCA imposes a harmonised EU-wide authorisation regime on both CASPs and certain cryptoasset issuers, particularly EMTs, ARTs and utility tokens. Licensing requirements include incorporation in Cyprus with a local office and staff, submission of comprehensive documentation such as business plans, operational manuals, internal policies, AML/countering financing of terrorists (CFT) procedures, and risk management frameworks, and demonstration of the suitability and integrity of the management body, in line with European Securities and Markets Authority (ESMA) and EBA guidance.
Cryptoassets issued to the public or seeking admission to trading must publish and notify CySEC in advance of a white paper containing, inter alia, full and fair disclosure of the project, the issuer, and associated risks.
CASPs must meet governance, organisational and prudential obligations, including minimum capital between EUR 50,000 and EUR 150,000, depending on the services provided.
MiCA introduces a dedicated regime for the advertising and promotion of cryptoassets, and in Cyprus these rules are complemented by the Consumer Protection Law of 2021 (Law 112(I)/2021) (“the Consumer Law”), which governs all commercial communications directed to consumers, including influencer marketing.
Under MiCA, all advertising and marketing communications relating to cryptoassets or cryptoasset services must:
- be fair, clear, and not misleading;
- be consistent with the information contained in the approved or notified white paper;
- clearly identify the issuer or service provider; and
- avoid exaggerating potential returns or minimising risks.
MiCA prohibits market manipulation, insider dealing, and misleading practices, such as so-called “pump-and-dump” schemes.
Consumer protection is enhanced through detailed disclosure obligations, a right of withdrawal within 14 days for certain retail investors participating in public offers of cryptoassets, and accessible complaint-handling procedures.
CySEC is responsible for supervising advertising compliance. It may order the amendment, suspension, or withdrawal of non-compliant marketing materials, including digital and social media campaigns.
In July 2025, ESMA issued guidance reminding CASPs not to use MiCA authorisation as a marketing tool or to combine regulated and unregulated services in way that could mislead consumers.
In addition to MiCA, the promotion of cryptoassets to consumers is also subject to the Consumer Law, which provides conditions for lawful advertising in commercial practices, stipulating conditions for unfair trade practices, deceptive acts, misleading omissions, and aggressive practices.
Cryptoasset custodians operating in or from Cyprus are regulated under MiCA and supervised by CySEC.
Under this framework, any entity that safeguards or holds cryptoassets or private keys on behalf of clients is deemed a CASP and must obtain MiCA authorisation from CySEC before commencing business.
To be authorised as a custodian, a firm must:
- be incorporated in an EU Member State and have its registered office and central administration in Cyprus;
- satisfy governance, operational, and prudential requirements, including minimum capital thresholds and fit-and-proper standards for directors and key function holders;
- implement effective safeguarding arrangements and segregation of client assets;
- maintain adequate technological and security measures for the protection of clients’ cryptoassets and private keys; and
- establish complaints-handling and internal control procedures.
In addition, CASPs must ensure robust administrative and accounting procedures, internal controls, risk assessment mechanisms, and confidentiality of client information, while avoiding conflicts of interest. These combined requirements ensure that cryptoasset custodians operate securely, transparently, and in a manner that protects clients’ assets.
Pursuant to the AML Law, CASP entities are considered obligated entities and are thus required to comply with the AML Law and its relevant reporting obligations. Given this, they must adhere to rules, inter alia, in relation to:
- performing “Know Your Client” and other client due diligence measures;
- drawing the economic profile of clients;
- identifying the source of client funds;
- monitoring clients’ transactions on an ongoing and risk-based basis;
- ongoing monitoring and enhanced due diligence for higher-risk clients, including politically exposed persons or high-risk jurisdictions;
- identifying and reporting suspicious activity and transactions to MOKAS in line with AML Law and MiCA requirements;
- undertaking comprehensive risk assessments in relation to clients’ activities and taking proportionate measures per client, considering the activity and cryptoassets in question.
CASP licence holders must also establish internal AML/CFT policies and procedures, aligned with MiCA and the AML Law, and appoint a compliance officer, along with other key roles such as a risk manager and financial officer, to ensure governance, compliance, and prompt reporting of suspicious transactions to MOKAS.
The Cyprus legal system is interwoven and principally based on the English common law system. Pursuant to section 29 of the Courts of Justice Law (Law 14/1960), the Cyprus courts, in the absence of contrary legislation, must follow the principles of common law and equity. A fortiori, English case law is extensively applied and provides valuable guidance to the Cyprus courts.
The quintessential question of whether cryptoassets should be classified as “property” remains unaddressed by the legislator, and in the absence of any reasoned judgment from the Cyprus courts on this matter, it is anticipated that the Cyprus judiciary will align with the precedent set by the English court in the case of AA v. Persons Unknown & Ors [2019] EWHC 3556 (Comm), along with subsequent English decisions, which recognise cryptoassets as property. It is noteworthy that, despite the lack of published reasoned judgments, several interim proprietary and/or freezing injunctions concerning cryptoassets have been issued. This further indicates the propensity of the Cyprus courts to treat cryptoassets as property pursuant to Cyprus law.
Considering the analysis above, it is very likely that cryptoassets will be recognised and treated as property under Cyprus law, thereby allowing them to be owned, assigned, transferred and/or held in a trust.
It is noteworthy that, although no reasoned judgments have yet been published, the Cyprus courts have issued several interim proprietary and freezing injunctions involving cryptoassets. This is a clear willingness of the judicial system to treat cryptoassets as property within the meaning of Cyprus law.
The control and ownership of cryptoassets are intrinsically linked to the possession of the private key for the digital wallet containing the cryptoassets. Possessing the private key may, therefore, establish legal control and ownership.
Cyprus, like most jurisdictions, does not have a specific legislative regime for DAOs. Thus, the legal status of DAO remains grey.
Despite the prevailing uncertainty, a DAO could conceivably be categorised as a partnership, an unincorporated company, or an unincorporated association. With the increasing practical use of DAOs and the inevitable emergence of more issues and disputes, greater clarity is expected to emerge.
Under the MiCA, a CASP is defined in Article 3(1)(15) as “a legal person”.
Accordingly, a purely code-based or stateless DAO, where no person or entity can be held legally responsible, cannot fall within MiCA’s definition of a CASP, nor can it otherwise qualify as a regulated entity under the Regulation.
Thus, if a DAO engages in activities falling within MiCA’s scope — such as the issuance, exchange, or custody of cryptoassets — it must therefore operate through a legal entity.
The principal provisions governing insolvency and bankruptcy in Cyprus are contained within the Companies Law (Chapter 113) and the Bankruptcy Law (Chapter 5).
Presently, no dedicated insolvency/bankruptcy framework exists for addressing cryptoassets. As analysed in Question 8, above, Cyprus law will most likely treat cryptoassets as property.
Undoubtedly, the particular character of a cryptoasset, whether it assumes the form of a digital or virtual currency, coin, token, or equity/debt security, may affect its treatment within the ambit of Cyprus insolvency/bankruptcy law.
Further, under MiCA, CASPs are required to maintain segregated client accounts and detailed records, ensuring that client assets are legally and operationally ring-fenced from the CASP’s own; thus, as MiCA is now fully in force, this framework will provide a statutory layer of protection to clients in the event of a CASP insolvency.
While MiCA acknowledges the use of smart contracts for order execution and market activities, it does not itself establish their legal enforceability. The question of whether a smart contract constitutes a binding agreement remains subject to national contract law.
Cyprus contract law is modelled on English contract law and has been guided ever since by the English legal system. Contract Law (Chapter 149) is the key statute governing Cyprus contract law.
There are no established guidelines per se regarding the extent to which smart contracts are enforceable under Cyprus law. Nevertheless, when smart contracts (a) fulfil all the requirements for the formation of a legal contract (offer, acceptance, consideration, certainty and intention to create legal relations), and (b) do not introduce any novel legal issues concerning their legality and enforceability, there is no reason why they should not be treated the same as any other contract.
However, given the peculiar nature of smart contracts, enforcement per se is not required, as they inherently facilitate self-enforcement.
The Cyprus legal system is interwoven with and principally based on the English common law system. English case law and principles are extensively applied and provide valuable guidance to the Cyprus courts.
In recent years, the Cyprus courts have dealt extensively with a plethora of cross-border fraud disputes and have been readily prepared to assist victims of such fraud by, inter alia, issuing interlocutory injunctions on an urgent basis and/or where appropriate.
It is worth noting that since September 2023, a new set of Civil Procedure Rules (CPRs) have been introduced, which are modelled on the English CPRs.
As explained in Question 8, above, pursuant to Cyprus law, cryptoassets will most likely be considered as property. Given this, both proprietary and personal claims will be at the disposal of fraud victims.
A range of potential personal claims may include misrepresentation, deceit, conspiracy, unjust enrichment and conversion. Further, dishonest assistance and knowing receipt may also be of instrumental importance in casting the net of liability to third parties — provided that a breach of trust or fiduciary duty exists, along with their relevant requirements.
Further, the interim reliefs available in the armoury of civil fraud litigation will be at the disposal of victims of crypto fraud, including:
- Proprietary injunctions.
- Freezing orders along with ancillary disclosure orders.
- Chabra orders.
- Disclosure orders:
- Norwich Pharmacal orders; and
- Bankers Trust orders.
- Imaging and search orders.
- Appointment of an interim receiver.
- Any appropriate ancillary order to the above.
The issuance of such reliefs requires the fulfilment of certain requirements and invariably resides with the discretion of the courts to consider whether it is fair and just for such an order to be issued.
Although no reported case has yet been published, a number of interim proprietary and/or freezing injunctions have been issued by the Cyprus courts against crypto fraudsters.
It is worth noting that the new Cyprus CPRs enunciate both (a) the over-riding objective; and (b) the obligation on reliance on substance over form of the English CPRs, making it highly arguable that the Cyprus courts will readily espouse the principles of Persons Unknown orders, as introduced in the English judgment of Bloomsbury Publishing Group Ltd v. News Group Newspapers Ltd & Others [2003] EWHC 1087 Ch, and issue the much-needed relief of Persons Unknown orders against crypto fraudsters.
Lastly, Cyprus law provides crypto-fraud victims a number of mechanisms to enforce their judgments:
- writ of delivery, ordering crypto-exchange or fraudster(s) to deliver up cryptoassets to the judgment creditor(s);
- a writ of attachment (garnishee order);
- a charging order (and subsequent sale of such charged assets) over the interest of the judgment debtor’s shares, corporate debentures, unit trust and funds in court, owned by the judgment debtor;
- post-judgment disclosure for the purposes of enforcement (under CPR 58.1, which provides for the disclosure of assets and any other disclosure to effect the execution of the judgment);
- information about the judgment debtor’s assets (by way of an application for asset disclosure under the Civil Procedure Law (Chapter 6), which only allows for disclosure of assets (directly or indirectly) owned);
- an order for repayment of the judgment debt in instalments; and
- appointment of a receiver by virtue of equitable execution of the judgment.
Cyprus has solidified its position as a premier destination for the digital economy by enacting a dedicated, ultra-competitive tax regime for cryptoassets.
Pursuant to the new Article 20E of the Income Tax Law 2002 as amended (effective 1 January 2026), a flat tax rate of 8% applies to profits arising from the disposal of cryptoassets.
This landmark reform provides investors and entrepreneurs with unparalleled legislative certainty and one of the lowest taxation rates in EU.
To ensure legal consistency and alignment with European standards, Cyprus has adopted the definition of cryptoassets set out in MiCA, ensuring the tax code evolves in lockstep with EU regulatory developments.
The 8% flat rate is fixed for both individuals and companies and applies to a broad definition of “disposal”. This includes selling crypto for fiat currency, exchanging one cryptoasset for another, and using digital assets as a means of payment for goods or services. Crypto-specific losses can also be offset against crypto gains within the same tax year.
Furthermore, with the VAT exemption on currency exchanges and the total abolition of Stamp Duty on contracts, Cyprus now offers a sophisticated and friction-free ecosystem for the global digital economy.
CASPs operating in or from Cyprus are subject to the EU General Data Protection Regulation (GDPR) and its national implementation under the Law Providing for the Protection of Natural Persons with regard to the Processing of Personal Data (Law 125(I)/2018).
CASPs must establish internal data protection policies, appoint a data protection officer where required, and ensure that any cross-border transfers of personal data outside the EEA comply with the transfer mechanisms under GDPR.
Clients must be provided with clear and accessible privacy notices explaining how their data are processed, retained, and protected.
From a cybersecurity perspective, MiCA, the Digital Operational Resilience Act (DORA), and NIS2, as implemented through the Security of Network and Information Systems Law of 2020, together impose obligations on CASPs to maintain robust information and communication technology security, operational resilience, and incident reporting systems.
In Cyprus, staking, yield farming, and other DeFi activities are not specifically regulated. There is currently no domestic law that classifies or licenses these activities as regulated financial services.
Pursuant to MiCA, DeFi protocols are generally not regulated as such.
Where services are provided in a fully decentralised manner without an identifiable operator, they typically fall outside the scope of MiCA. However, if a Cyprus-based entity facilitates DeFi-related services for clients, such as custody of cryptoassets, operating a platform, or executing transactions on behalf of users, those activities are likely to qualify as cryptoasset services under MiCA. In that case, the entity must be authorised by CySEC as a CASP.
Registered CASPs are required to comply with AML/CFT obligations, including customer due diligence, suspicious transaction reporting, and maintaining internal controls. In summary, while Cyprus currently lacks DeFi-specific legislation, MiCA provides a regulatory framework that may apply to DeFi platforms and services, ensuring compliance with licensing, consumer protection, and prudential standards.
Cyprus continues to actively develop its legal and regulatory framework in alignment with the evolving European digital asset landscape, maintaining a position at the forefront of regional developments.
The country benefits from a mature and sophisticated financial services ecosystem, comprising MiFID-regulated investment firms, electronic money institutions, and well-established fintech and crypto operators. This concentration of institutional expertise has fostered a robust knowledge base and operational infrastructure that supports innovation while ensuring high standards of regulatory oversight.
In parallel, Cyprus has introduced significant fiscal reforms aimed at strengthening its competitiveness within the digital economy. Central to this package is a fixed 8% tax rate on cryptoasset disposals, representing one of the most attractive and transparent regimes in the European Union. These initiatives are further reinforced by Cyprus’s IP Box regime, which enables qualifying software and technology businesses to achieve an effective corporate tax rate as low as 3% on eligible profits.
Taken together, these developments confirm Cyprus’s ongoing commitment to pursuing further reforms that enhance its positioning as a premier, innovation-friendly jurisdiction for the digital asset sector.